diff --git a/private/netd.te b/private/netd.te
index a00cb6976..4c129b7e2 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -12,6 +12,10 @@ domain_auto_trans(netd, clatd_exec, clatd)
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
 
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow netd self:key_socket create;
+
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.
diff --git a/private/system_server.te b/private/system_server.te
index 9b986b124..68a8f55ec 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -879,10 +879,6 @@ with_asan(`
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow system_server self:key_socket create;
-
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.